CN103795735A - Safety device, server and server information safety achieving method - Google Patents
Safety device, server and server information safety achieving method Download PDFInfo
- Publication number
- CN103795735A CN103795735A CN201410082238.3A CN201410082238A CN103795735A CN 103795735 A CN103795735 A CN 103795735A CN 201410082238 A CN201410082238 A CN 201410082238A CN 103795735 A CN103795735 A CN 103795735A
- Authority
- CN
- China
- Prior art keywords
- server
- safety
- network packet
- safety means
- module
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
- 238000000034 method Methods 0.000 title claims abstract description 12
- 238000011217 control strategy Methods 0.000 claims abstract description 75
- 238000004891 communication Methods 0.000 claims abstract description 46
- 238000012545 processing Methods 0.000 claims abstract description 26
- 230000003993 interaction Effects 0.000 claims abstract description 12
- 238000012550 audit Methods 0.000 claims description 21
- 230000008878 coupling Effects 0.000 claims description 9
- 238000010168 coupling process Methods 0.000 claims description 9
- 238000005859 coupling reaction Methods 0.000 claims description 9
- 238000004458 analytical method Methods 0.000 claims description 8
- 238000005516 engineering process Methods 0.000 description 6
- 230000005540 biological transmission Effects 0.000 description 4
- 239000000047 product Substances 0.000 description 3
- 238000007792 addition Methods 0.000 description 2
- 238000012217 deletion Methods 0.000 description 2
- 230000037430 deletion Effects 0.000 description 2
- 238000001514 detection method Methods 0.000 description 2
- 238000007726 management method Methods 0.000 description 2
- 238000012986 modification Methods 0.000 description 2
- 230000004048 modification Effects 0.000 description 2
- 230000002265 prevention Effects 0.000 description 2
- 230000002155 anti-virotic effect Effects 0.000 description 1
- 238000006243 chemical reaction Methods 0.000 description 1
- 238000010276 construction Methods 0.000 description 1
- 230000006378 damage Effects 0.000 description 1
- 230000007547 defect Effects 0.000 description 1
- 238000011161 development Methods 0.000 description 1
- 238000010586 diagram Methods 0.000 description 1
- 230000000694 effects Effects 0.000 description 1
- 230000008595 infiltration Effects 0.000 description 1
- 238000001764 infiltration Methods 0.000 description 1
- 239000002245 particle Substances 0.000 description 1
- 239000012466 permeate Substances 0.000 description 1
- 230000003014 reinforcing effect Effects 0.000 description 1
- 239000004575 stone Substances 0.000 description 1
- 230000003612 virological effect Effects 0.000 description 1
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/606—Protecting data by securing the transmission between two devices or processes
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0209—Architectural arrangements, e.g. perimeter networks or demilitarized zones
- H04L63/0218—Distributed architectures, e.g. distributed firewalls
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Computing Systems (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Bioethics (AREA)
- General Health & Medical Sciences (AREA)
- Software Systems (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Health & Medical Sciences (AREA)
- Computer And Data Communications (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention discloses a safety device, a server and a server information safety achieving method. The safety device comprises a communication module, a firmware module and a processing module. The communication module is used for being in butting joint with an external communication interface provided by the server and achieving information interaction with the server through the interface. The firmware module is used for being provided with at least one safety control strategy in advance. The processing module is used for executing at least one of the safety control strategies to achieve information safety protection of the server in real time when the server detects the safety device. The high-speed safety device (like a safety chip card) which integrates safety control strategies protects the safety of the server, the safe plug and play function of the server is achieved, and the external server can be used as an independent network processing part and is completely separated from an internal gateway at the same time.
Description
Technical field
The present invention relates to server security guard technology field, in particular to a kind of safety means, server and server info safety implementation method.
Background technology
Server is the important component part in enterprises and institutions' information system, and the safety of server is the foundation stone of whole information system security.AUTHORITATIVE DATA shows, in whole information system, nearly 80% data 2 are processed by server, and, along with the development of function and the performance of server, information system to the degree of dependence of server by increasing.Once the events such as unexpected shutdown, unexpected network interruption, assault, significant data are stolen occur, and will cause very large impact to the safety of whole information system, thereby cause very serious loss to enterprises and institutions.
Known ground, the security protection strategy of server is related to the safety problem of information system Core server, and effectively security protection strategy can avoid the Core server of information system to face illegal access, the security threats such as infiltration, viral destruction, backdoor attack, franchise attack, data tampering, data leakage are kidnapped, invaded to information.
In the middle of practical application, extensive application in server and data are all that information system is able to safety, stable and efficient guarantee and the basis of moving, but the present inventor finds, current numerous safety products and technology for server security, as traditional fire compartment wall, IDS(Intrusion Detection Systems, intruding detection system)/IPS(Intrusion Prevention System, intrusion prevention system) etc. be all the safety for protecting network safety or information system itself, but lack the technology that is intended to the Core server of information system to carry out security protection.Therefore also at least there is following potential safety hazard in prior art, in the specific implementation:
One, physics private network user cannot effectively take precautions against third party developer, third party's O&M personnel, risk that even internal staff brings to database;
One, the authority of superuser is not controlled, can obtain at any time, distort any data;
Two, utilize the defect of Web code or utilize the leak of management to permeate by foreground, thereby realizing the unauthorized access to database;
Three, lack complete detailed Data Audit means;
Four, the access of application foreground user to data cannot be recorded end user on database;
Five, utilize caused by inferior database and protocol bug to initiate the directtissima behavior for database;
Six, a large amount of safety products is disposed in server network, effectively the core of security application.
Summary of the invention
For at least one in solving the problems of the technologies described above, the object of the present invention is to provide a kind of server security implementation method, device and server.
In order to achieve the above object, the embodiment of the present invention realizes by the following technical solutions:
A kind of safety means, comprising:
Communication module, docks for the external communication interface providing with server, and by the information interaction of this Interface realization and server;
Firmware module, for being preconfigured at least one safety control strategy;
And processing module, when these safety means being detected when server, carries out at least one in these safety control strategies in real time to realize the protecting information safety of server.
Preferably, described safety means can plug and communicate and be connected with the external communication interface of server;
Or described safety means are integrated on the mainboard of server, and communicate and be connected with the external communication interface of server.
Preferably, when network card chip is in the time getting network packet, described communication module is for obtaining described network packet from described network card chip, and described processing module comprises:
Procotol analytics engine, for carrying out procotol parsing to network packet;
Access control module, the result of resolving according to procotol and at least one safety control strategy of obtaining from safety means are analyzed this active user and whether are accessed safety, in this way, allow this network packet to pass through, otherwise block and notify audit module to check;
Audit module, for checking network packet.
Preferably, described processing module also comprises:
Strategy buffer module, for when the user access server, preserves the safety control strategy that user upgrades and is also updated to firmware module.
Preferably, described processing module also comprises:
Security strategy matching engine, detect for the network packet of described permission being passed through according at least one safety control strategy obtaining from safety means, to judge whether allowing network packet to pass through, in this way, allow this network packet to pass through, otherwise block and notify audit module to check;
Database protocol analytics engine, resolves for the network packet of permission being passed through according to the characteristic of various database protocol;
Whether SQL syntactic analysis engine, analyzes for database protocol analysis engine being resolved to the SQL statement obtaining according at least one safety control strategy obtaining from safety means, legal to judge the access of database;
Database Security Strategy matching engine, carry out security strategy coupling for the network packet of permission being passed through according at least one safety control strategy obtaining from safety means, to judge whether allowing network packet to pass through, in this way, allow this network packet to pass through, otherwise block and notify audit module to check;
Encryption and decryption module, carries out encryption and decryption for the network packet of described permission being passed through according at least one safety control strategy obtaining from safety means.
More preferably, described plug the safety means that are connected with server be one card or move media.
A kind of server, it is connected with safety means, and described safety means comprise:
Communication module, docks for the external communication interface providing with server, and by the information interaction of this Interface realization and server;
Firmware module, for being preconfigured at least one safety control strategy;
And processing module, when detecting that when server these safety means are connected on it, carries out at least one in these safety control strategies in real time to realize the protecting information safety of server.
Preferably, described safety means can plug and communicate and be connected with the external communication interface of server;
Or described safety means are integrated on the mainboard of server, and communicate and be connected with the external communication interface of server.
A kind of server info safety implementation method, it comprises:
Server provides external communication interface, and by the information interaction of this external communication interface realization and safety means, wherein, described safety means have been preconfigured at least one safety control strategy, when these safety means are connected to server and time identified by it, carry out in real time at least one in these safety control strategies to realize the protecting information safety of server.
Preferably, described safety means can plug and communicate and be connected with the external communication interface of server;
Or described safety means are integrated on the mainboard of server, and communicate and be connected with the external communication interface of server.
Preferably, when these safety means are connected to server and time identified by it, at least one that carry out in real time in these safety control strategies comprises with the step of the protecting information safety of realizing server:
In the time of user access server, obtain network packet;
Network packet is carried out to procotol parsing;
The result of resolving according to procotol and at least one safety control strategy of obtaining from safety means are analyzed this active user and whether are accessed safety, in this way, allow this network packet to pass through, otherwise block and check.
The network packet of described permission being passed through according at least one safety control strategy obtaining from safety means detects, and to judge whether allowing network packet to pass through, in this way, allows this network packet to pass through, otherwise blocks and check.
The network packet of permission being passed through according to the characteristic of various database protocol is resolved;
,, in this way, allow this network packet to pass through, otherwise block and check to judge whether allowing network packet to pass through allowing the network packet of passing through to carry out security strategy coupling according at least one safety control strategy obtaining from safety means;
The network packet of described permission being passed through according at least one safety control strategy obtaining from safety means is carried out encryption and decryption.
The present invention utilizes the high-speed secure equipment (for example safety chip card) of an integrated security control strategy; the safety of protection server; realize the plug-and-play feature of server security, realize using external server as a separate network processing, isolate completely with internal gateway again simultaneously.Wherein, described safety control strategy includes but not limited to using security strategy, Data Security, operating system security strategy, Database Security Strategy (the encryption and decryption strategy of such as database data, the encryption and decryption strategy of database structure), network security policy and Security Audit Strategy etc.
Accompanying drawing explanation
The safety means illustrative view of functional configuration that Fig. 1 provides for the embodiment of the present invention;
The safety means detailed construction schematic diagram that Fig. 2 provides for the embodiment of the present invention;
The server info safety implementation method schematic flow sheet that Fig. 3 provides for the embodiment of the present invention.
Realization, functional characteristics and the excellent effect of the object of the invention, be described further below in conjunction with specific embodiment and accompanying drawing.
Embodiment
Below in conjunction with the drawings and specific embodiments, technical scheme of the present invention is described in further detail, can be implemented so that those skilled in the art can better understand the present invention also, but illustrated embodiment is not as a limitation of the invention.
As shown in Figure 1 and Figure 2, the embodiment of the present invention provides a kind of safety means 500, comprising:
And processing module 20, in the time that server 600 detects these safety means 500, carries out at least one in these safety control strategies in real time to realize the protecting information safety of server 600.
Those skilled in the art is in conjunction with spirit of the present invention and prior art, be not difficult industrially to realize described communication module 10, firmware module 30 and processing module 20, particularly, described firmware module 30 is by being preconfigured at least one safety control strategy, described processing module 20, in the time that server 600 detects that these safety means 500 are connected on it, is carried out at least one in these safety control strategies in real time to realize the protecting information safety of server 600.
Described security protection includes but not limited to: database particle encryption and decryption, transparent encryption and decryption, ciphertext index and searching ciphertext, database fire compartment wall, database access event are traced to the source, operating system access control, operating system nucleus reinforcing, unstructured data encryption, server admin information, operating state, server management and control, network firewall and access control.Described security strategy includes but not limited to: using security strategy, Data Security, operating system security strategy, Database Security Strategy (the encryption and decryption strategy of such as database data, the encryption and decryption strategy of database structure), network security policy and Security Audit Strategy etc.In the middle of practical application, user can carry out additions and deletions and modification to these safety control strategies.
In addition, described safety means 500 can also provide expansion interface to expand with practical function, for example, for credible calculating, VPN, anti-virus, fingerprint recognition, PKI authenticate, encrypt, apply the safety products such as protection and security audit and technology provides expansion flexibly.
In the present embodiment, described safety means 500 can plug and communicate and be connected with the external communication interface 40 of server 600; Particularly, described safety means 500 are pluggable equipment, and the external communication interface 40 in order to plug safety means 500 that its double communication module 10 that does pluggable terminals provides with server 600 docks.More specifically, in the time that described safety means 500 are pluggable equipment, described pluggable equipment is a card or move media.
In another embodiment, described safety means 500 are integrated on the mainboard of server 600, and communicate and be connected with the external communication interface 40 of server 600.
Preferably, when network card chip 50 is in the time getting network packet, described communication module 10 is for obtaining described network packet from described network card chip 50, wherein, described network card chip 50 can be deployed on server 600, and shown in figure 2, described processing module 20 comprises:
Preferably, described processing module 20 also comprises:
Preferably, described processing module 20 also comprises:
Security strategy matching engine 204, detect for the network packet of described permission being passed through according at least one safety control strategy obtaining from safety means 500, to judge whether allowing network packet to pass through, in this way, allow this network packet to pass through, otherwise block and notify audit module 206 to check;
Database protocol analytics engine 205, resolves for the network packet of permission being passed through according to the characteristic of various database protocol;
Whether SQL syntactic analysis engine 207, analyzes for database protocol analysis engine 205 being resolved to the SQL statement obtaining according at least one safety control strategy obtaining from safety means 500, legal to judge the access of database;
Database Security Strategy matching engine 208, carry out security strategy coupling for the network packet of permission being passed through according at least one safety control strategy obtaining from safety means 500, to judge whether allowing network packet to pass through, in this way, allow this network packet to pass through, otherwise block and notify audit module 206 to check;
Encryption and decryption module 209, carries out encryption and decryption for the network packet of described permission being passed through according at least one safety control strategy obtaining from safety means 500.
Below in conjunction with Fig. 3, take the safety means 500 of plug-in as example is described in further detail the specific works step of safety means 500, comprise the following steps:
Step S00, user are installed to safety means 500 to need on the server of security protection 600.
When step S01, user access server 600, tactful buffer module 201 is preserved user's setting, and these settings comprise initiatively server 600 safety control strategies of input of user.
Step S02, user access server 600.
Step S03, safety means 500 obtain network packet by the network card chip 50 of server 600.
Step S04, procotol analytics engine 202 are resolved according to the feature of variety of protocol network packet.
The result that step S05, access control module 203 resolve according to procotol and from safety means 500 safety control strategy that obtain or that directly obtain from tactful buffer module 201, analyze and whether meet access security, if met, allow this network packet to pass through, otherwise block and check.
Step S06, security strategy matching engine 204 are according to from safety means 500, safety control strategy that obtain or that directly obtain from tactful buffer module 201 allows the network packet of passing through to carry out security strategy coupling to access control module 203, whether allow network packet to pass through to check, if do not allowed, block and check.
Step S07, database protocol analytics engine 205 are resolved according to the feature of various database protocol network packet.
Step S08, Database Security Strategy matching engine 208 are according to from safety means 500, database security control strategy that obtain or that directly obtain from tactful buffer module 201 allows the network packet of passing through to carry out security strategy coupling to security strategy matching engine 204, whether allow network packet to pass through to check, if do not allowed, block and check.
Step S09, encryption and decryption module 209 is according to from safety means 500, safety control strategy that obtain or that directly obtain from tactful buffer module 201 judges whether that the data that need to comprise network packet carry out encryption and decryption, if needed, the network packet of according to the safety control strategy that obtains or directly obtain from tactful buffer module 201 from safety means 500, described permission being passed through is carried out encryption and decryption.
Continue with reference to shown in figure 2, the embodiment of the present invention also provides a kind of server 600, and it is connected with safety means 500, and described safety means 500 comprise:
And processing module 20, when detecting that when server 600 these safety means 500 are connected on it, carries out at least one in these safety control strategies in real time to realize the protecting information safety of server 600.
In the specific implementation, described server 600 self is peeled off the various security control softwares that are achieved security protection, such as network firewall software etc.In the time that needs specifically protect corresponding server 600, grasp has the jurisdictional specific user of corresponding safety means 500 only to need these safety means 500 to insert on this server 600, or corresponding user operates the server 600 that is integrated with safety means 500, can realize the security protection of server 600.
Preferably, described safety means 500 can be the move medias such as a card or USB flash disk, can plug to communicate with the external communication interface 40 of server 600 to be connected;
Or described safety means 500 are integrated on the mainboard of server 600, and communicate and be connected with the external communication interface 40 of server 600.
Similarly, when the network card chip 50 of server 600 is in the time getting network packet, the communication module 10 of described safety means 500 is for obtaining described network packet from described network card chip 50, and described processing module 20 comprises:
Preferably, described processing module 20 also comprises:
Preferably, described processing module 20 also comprises:
Security strategy matching engine 204, detect for the network packet of described permission being passed through according at least one safety control strategy obtaining from safety means 500, to judge whether allowing network packet to pass through, in this way, allow this network packet to pass through, otherwise block and notify audit module 206 to check;
Database protocol analytics engine 205, resolves for the network packet of permission being passed through according to the characteristic of various database protocol;
Whether SQL syntactic analysis engine 207, analyzes for database protocol analysis engine 205 being resolved to the SQL statement obtaining according at least one safety control strategy obtaining from safety means 500, legal to judge the access of database;
Database Security Strategy matching engine 208, carry out security strategy coupling for the network packet of permission being passed through according at least one safety control strategy obtaining from safety means 500, to judge whether allowing network packet to pass through, in this way, allow this network packet to pass through, otherwise block and notify audit module 206 to check;
Encryption and decryption module 209, carries out encryption and decryption for the network packet of described permission being passed through according at least one safety control strategy obtaining from safety means 500.
As shown in Figure 3 and with reference to figure 2, the embodiment of the present invention also provides a kind of server 600 information security implementation methods, and it comprises the steps:
S10, server 600 provide external communication interface 40, and by the information interaction of these external communication interface 40 realizations and safety means 500, wherein, described safety means 500 have been preconfigured at least one safety control strategy, when these safety means 500 are connected to server 600 and time identified by it, carry out in real time at least one in these safety control strategies to realize the protecting information safety of server 600.
In the present embodiment, described safety means 500 can plug and communicate and be connected with the external communication interface 40 of server 600; In the present embodiment, in the time realizing server 600 concrete application, by adopting the safety means 500 of integrated security feature and network interface card function, only safety means 500 need be inserted to the corresponding interface of server 600, make server 600 in the time carrying out practical business, by carrying out information interaction with safety means 500, select at least one described safety control strategy to carry out security control processing, can realize the security protection of server 600.
Or in another embodiment, described safety means 500 are integrated on the mainboard of server 600, and communicate and be connected with the external communication interface 40 of server 600.In this embodiment, in the time realizing server 600 concrete application, by adopting the safety means 500 of integrated security feature and network interface card function, and just safety means 500 are integrated on the mainboard of server 600, make server 600 in the time carrying out practical business, by carrying out information interaction with safety means 500, select at least one described safety control strategy to carry out security control processing, can realize the security protection of server 600.
According to spirit of the present invention, those skilled in the art should learn: described in be written into safety means 500 safety control strategy include but not limited to using security strategy, Data Security, operating system security strategy, Database Security Strategy (the encryption and decryption strategy of such as database data, the encryption and decryption strategy of database structure), network security policy and Security Audit Strategy etc.In the middle of practical application, user can carry out additions and deletions and modification to these safety control strategies.
Preferably, when these safety means 500 are connected to server 600 and time identified by it, at least one that carry out in real time in these safety control strategies comprises with the step of the protecting information safety of realizing server 600:
S100, in the time of user access server 600, obtain network packet;
S100, network packet is carried out to procotol parsing;
S100, the result of resolving according to procotol and at least one safety control strategy of obtaining from safety means 500 are analyzed this active user and whether are accessed safety, in this way, allow this network packet to pass through, otherwise block and check.
S100, the network packet of described permission being passed through according at least one safety control strategy obtaining from safety means 500 detect, to judge whether allowing network packet to pass through, in this way, allow this network packet to pass through, otherwise block and check.
S100, the network packet of permission being passed through according to the characteristic of various database protocol are resolved;
S100, the network packet of permission being passed through according at least one safety control strategy obtaining from safety means 500 are carried out security strategy coupling, to judge whether allowing network packet to pass through, in this way, allow this network packet to pass through, otherwise block and check;
S100, the network packet of described permission being passed through according at least one safety control strategy obtaining from safety means 500 are carried out encryption and decryption.
The foregoing is only the preferred embodiments of the present invention; not thereby limit the scope of the claims of the present invention; every equivalent structure or conversion of equivalent flow process that utilizes specification of the present invention and accompanying drawing content to do; or be directly or indirectly used in other relevant technical fields, be all in like manner included in scope of patent protection of the present invention.
Claims (11)
1. safety means, is characterized in that, comprising:
Communication module, docks for the external communication interface providing with server, and by the information interaction of this Interface realization and server;
Firmware module, for being preconfigured at least one safety control strategy;
And processing module, when these safety means being detected when server, carries out at least one in these safety control strategies in real time to realize the protecting information safety of server.
2. safety means as claimed in claim 1, is characterized in that, described safety means can plug and communicate and be connected with the external communication interface of server;
Or described safety means are integrated on the mainboard of server, and communicate and be connected with the external communication interface of server.
3. safety means as claimed in claim 1, is characterized in that, when network card chip is in the time getting network packet, described communication module is for obtaining described network packet from described network card chip, and described processing module comprises:
Procotol analytics engine, for carrying out procotol parsing to network packet;
Access control module, the result of resolving according to procotol and at least one safety control strategy of obtaining from safety means are analyzed this active user and whether are accessed safety, in this way, allow this network packet to pass through, otherwise block and notify audit module to check;
Audit module, for checking network packet.
4. safety means as claimed in claim 3, is characterized in that, described processing module also comprises:
Strategy buffer module, for when the user access server, preserves the safety control strategy that user upgrades and is also updated to firmware module.
5. safety means as claimed in claim 3, is characterized in that, described processing module also comprises:
Security strategy matching engine, detect for the network packet of described permission being passed through according at least one safety control strategy obtaining from safety means, to judge whether allowing network packet to pass through, in this way, allow this network packet to pass through, otherwise block and notify audit module to check;
Database protocol analytics engine, resolves for the network packet of permission being passed through according to the characteristic of various database protocol;
Whether SQL syntactic analysis engine, analyzes for database protocol analysis engine being resolved to the SQL statement obtaining according at least one safety control strategy obtaining from safety means, legal to judge the access of database;
Database Security Strategy matching engine, carry out security strategy coupling for the network packet of permission being passed through according at least one safety control strategy obtaining from safety means, to judge whether allowing network packet to pass through, in this way, allow this network packet to pass through, otherwise block and notify audit module to check;
Encryption and decryption module, carries out encryption and decryption for the network packet of described permission being passed through according at least one safety control strategy obtaining from safety means.
6. safety means as claimed in claim 2, is characterized in that, the described safety means that are connected with server that plug are a card or move media.
7. a server, is characterized in that, described server is connected with safety means, and described safety means comprise:
Communication module, docks for the external communication interface providing with server, and by the information interaction of this Interface realization and server;
Firmware module, for being preconfigured at least one safety control strategy;
And processing module, when detecting that when server these safety means are connected on it, carries out at least one in these safety control strategies in real time to realize the protecting information safety of server.
8. server as claimed in claim 7, is characterized in that, described safety means can plug and communicate and be connected with the external communication interface of server;
Or described safety means are integrated on the mainboard of server, and communicate and be connected with the external communication interface of server.
9. a server info safety implementation method, is characterized in that, comprising:
Server provides external communication interface, and by the information interaction of this external communication interface realization and safety means, wherein, described safety means have been preconfigured at least one safety control strategy, when these safety means are connected to server and time identified by it, carry out in real time at least one in these safety control strategies to realize the protecting information safety of server.
10. server info safety implementation method as claimed in claim 9, is characterized in that, described safety means can plug and communicate and be connected with the external communication interface of server;
Or described safety means are integrated on the mainboard of server, and communicate and be connected with the external communication interface of server.
11. server info safety implementation methods as claimed in claim 9, it is characterized in that, when these safety means are connected to server and time identified by it, at least one that carry out in real time in these safety control strategies comprises with the step of the protecting information safety of realizing server:
In the time of user access server, obtain network packet;
Network packet is carried out to procotol parsing;
The result of resolving according to procotol and at least one safety control strategy of obtaining from safety means are analyzed this active user and whether are accessed safety, in this way, allow this network packet to pass through, otherwise block and check;
The network packet of described permission being passed through according at least one safety control strategy obtaining from safety means detects, and to judge whether allowing network packet to pass through, in this way, allows this network packet to pass through, otherwise blocks and check;
The network packet of permission being passed through according to the characteristic of various database protocol is resolved;
,, in this way, allow this network packet to pass through, otherwise block and check to judge whether allowing network packet to pass through allowing the network packet of passing through to carry out security strategy coupling according at least one safety control strategy obtaining from safety means;
The network packet of described permission being passed through according at least one safety control strategy obtaining from safety means is carried out encryption and decryption.
Priority Applications (3)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201410082238.3A CN103795735B (en) | 2014-03-07 | 2014-03-07 | Safety means, server and server info safety implementation method |
| PCT/CN2014/073567 WO2015131412A1 (en) | 2014-03-07 | 2014-03-18 | Security device, server and method for achieving information security of server |
| US14/338,015 US20150256558A1 (en) | 2014-03-07 | 2014-07-22 | Safety device, server and server information safety method |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201410082238.3A CN103795735B (en) | 2014-03-07 | 2014-03-07 | Safety means, server and server info safety implementation method |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN103795735A true CN103795735A (en) | 2014-05-14 |
| CN103795735B CN103795735B (en) | 2017-11-07 |
Family
ID=50671021
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201410082238.3A Expired - Fee Related CN103795735B (en) | 2014-03-07 | 2014-03-07 | Safety means, server and server info safety implementation method |
Country Status (3)
| Country | Link |
|---|---|
| US (1) | US20150256558A1 (en) |
| CN (1) | CN103795735B (en) |
| WO (1) | WO2015131412A1 (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN105847280A (en) * | 2016-05-06 | 2016-08-10 | 南京百敖软件有限公司 | Security management method based on firmware |
Families Citing this family (11)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN105468984A (en) * | 2015-11-19 | 2016-04-06 | 浪潮电子信息产业股份有限公司 | Method and device for realizing safety of operation systems |
| CN106850285A (en) * | 2017-01-19 | 2017-06-13 | 薛辉 | Video security monitoring device, auditing system and its deployment architecture and method |
| CN108768996A (en) * | 2018-05-23 | 2018-11-06 | 国网河南省电力公司漯河供电公司 | A kind of detection guard system of SQL injection attack |
| CN109547457B (en) * | 2018-12-07 | 2021-08-17 | 北京万维兴业科技有限责任公司 | Network isolation system with 'micro-interaction' function |
| CN109618337A (en) * | 2019-02-01 | 2019-04-12 | 华普电力有限公司 | Data transmission system in wireless communication system |
| CN109871281B (en) * | 2019-02-22 | 2023-06-06 | 南方电网科学研究院有限责任公司 | Data interaction method and device based on InSE security chip |
| CN110166997A (en) * | 2019-06-21 | 2019-08-23 | 广东科徕尼智能科技有限公司 | A kind of system increasing smart lock network data security |
| CN113114622A (en) * | 2021-03-08 | 2021-07-13 | 北京世纪安图数码科技发展有限责任公司 | Real estate registration multi-source heterogeneous data exchange method |
| CN113055397A (en) * | 2021-03-29 | 2021-06-29 | 郑州中科集成电路与信息系统产业创新研究院 | Configuration method and device of security access control policy |
| CN113810366A (en) * | 2021-08-02 | 2021-12-17 | 厦门天锐科技股份有限公司 | Website uploaded file safety identification system and method |
| CN113949539A (en) * | 2021-09-27 | 2022-01-18 | 广东核电合营有限公司 | Protection method for network security of KNS system of nuclear power plant and KNS system |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1509558A (en) * | 2001-03-14 | 2004-06-30 | ��������ķ������ | Protable device for securing packet traffic in host platform |
| CN1567808A (en) * | 2003-06-18 | 2005-01-19 | 联想(北京)有限公司 | A network security appliance and realizing method thereof |
| CN101188493A (en) * | 2007-11-14 | 2008-05-28 | 吉林中软吉大信息技术有限公司 | Teaching and testing device for network information security |
| CN101252487A (en) * | 2008-04-11 | 2008-08-27 | 杭州华三通信技术有限公司 | Method for processing safety warning and safety policy equipment |
| CN101281570A (en) * | 2008-05-28 | 2008-10-08 | 北京工业大学 | Credible computing system |
Family Cites Families (17)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US7159116B2 (en) * | 1999-12-07 | 2007-01-02 | Blue Spike, Inc. | Systems, methods and devices for trusted transactions |
| US7904454B2 (en) * | 2001-07-16 | 2011-03-08 | International Business Machines Corporation | Database access security |
| US7178724B2 (en) * | 2003-04-21 | 2007-02-20 | Stmicroelectronics, Inc. | Smart card device and method used for transmitting and receiving secure e-mails |
| US7506371B1 (en) * | 2004-01-22 | 2009-03-17 | Guardium, Inc. | System and methods for adaptive behavior based access control |
| US8613091B1 (en) * | 2004-03-08 | 2013-12-17 | Redcannon Security, Inc. | Method and apparatus for creating a secure anywhere system |
| US8510300B2 (en) * | 2004-07-02 | 2013-08-13 | Goldman, Sachs & Co. | Systems and methods for managing information associated with legal, compliance and regulatory risk |
| EP1813073B1 (en) * | 2004-10-29 | 2010-07-21 | Telecom Italia S.p.A. | System and method for remote security management of a user terminal via a trusted user platform |
| CN101160839B (en) * | 2005-03-11 | 2013-01-16 | 富士通株式会社 | Access control method, access control system and packet communication apparatus |
| US7624436B2 (en) * | 2005-06-30 | 2009-11-24 | Intel Corporation | Multi-pattern packet content inspection mechanisms employing tagged values |
| CA2975694C (en) * | 2005-07-15 | 2020-12-08 | Indxit Systems, Inc. | Systems and methods for data indexing and processing |
| US7605933B2 (en) * | 2006-07-13 | 2009-10-20 | Ricoh Company, Ltd. | Approach for securely processing an electronic document |
| US8495357B2 (en) * | 2007-12-19 | 2013-07-23 | International Business Machines Corporation | Data security policy enforcement |
| US20110252456A1 (en) * | 2008-12-08 | 2011-10-13 | Makoto Hatakeyama | Personal information exchanging system, personal information providing apparatus, data processing method therefor, and computer program therefor |
| US10148438B2 (en) * | 2012-04-03 | 2018-12-04 | Rally Health, Inc. | Methods and apparatus for protecting sensitive data in distributed applications |
| US9384349B2 (en) * | 2012-05-21 | 2016-07-05 | Mcafee, Inc. | Negative light-weight rules |
| US8973132B2 (en) * | 2012-11-14 | 2015-03-03 | Click Security, Inc. | Automated security analytics platform with pluggable data collection and analysis modules |
| US9306947B2 (en) * | 2012-11-14 | 2016-04-05 | Click Security, Inc. | Automated security analytics platform with multi-level representation conversion for space efficiency and incremental persistence |
-
2014
- 2014-03-07 CN CN201410082238.3A patent/CN103795735B/en not_active Expired - Fee Related
- 2014-03-18 WO PCT/CN2014/073567 patent/WO2015131412A1/en active Application Filing
- 2014-07-22 US US14/338,015 patent/US20150256558A1/en not_active Abandoned
Patent Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1509558A (en) * | 2001-03-14 | 2004-06-30 | ��������ķ������ | Protable device for securing packet traffic in host platform |
| CN1567808A (en) * | 2003-06-18 | 2005-01-19 | 联想(北京)有限公司 | A network security appliance and realizing method thereof |
| CN101188493A (en) * | 2007-11-14 | 2008-05-28 | 吉林中软吉大信息技术有限公司 | Teaching and testing device for network information security |
| CN101252487A (en) * | 2008-04-11 | 2008-08-27 | 杭州华三通信技术有限公司 | Method for processing safety warning and safety policy equipment |
| CN101281570A (en) * | 2008-05-28 | 2008-10-08 | 北京工业大学 | Credible computing system |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN105847280A (en) * | 2016-05-06 | 2016-08-10 | 南京百敖软件有限公司 | Security management method based on firmware |
Also Published As
| Publication number | Publication date |
|---|---|
| WO2015131412A1 (en) | 2015-09-11 |
| CN103795735B (en) | 2017-11-07 |
| US20150256558A1 (en) | 2015-09-10 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN103795735A (en) | Safety device, server and server information safety achieving method | |
| US10230750B2 (en) | Secure computing environment | |
| CN105409164B (en) | Rootkit detection by using hardware resources to detect inconsistencies in network traffic | |
| Rhee et al. | Security requirements of a mobile device management system | |
| US20130086685A1 (en) | Secure integrated cyberspace security and situational awareness system | |
| Kaur et al. | A comparative evaluation of data leakage/loss prevention systems (DLPS) | |
| Ibarra et al. | Ransomware impact to SCADA systems and its scope to critical infrastructure | |
| CN115314286A (en) | Safety guarantee system | |
| KR20190121483A (en) | Apparatus and method of blocking malicious code based on whitelist | |
| US10769267B1 (en) | Systems and methods for controlling access to credentials | |
| KR101416618B1 (en) | An Intrusion Prevention System Using Enhanced Security Linux kernel | |
| CN102098313A (en) | Waterproof wall system and authentication method thereof | |
| KR101614809B1 (en) | Practice control system of endpoint application program and method for control the same | |
| Sharma et al. | Implementation Analysis of Ransomware and Unmanned Aerial Vehicle Attacks: Mitigation Methods and UAV Security Recommendations | |
| Johnson | Civil aviation and cybersecurity | |
| Kakareka | Detecting system intrusions | |
| Cappelli et al. | The Key to Successful Monitoring for Detection of Insider Attacks | |
| Alert | Advanced persistent threat compromise of government agencies, critical infrastructure, and private sector organizations | |
| Sarralde et al. | Cyber security applied to P&C IEDs | |
| EP4365742A1 (en) | Computer-implemented system and method for recovering data in case of a computer network failure | |
| CN102855447A (en) | Method for protecting application security of Web | |
| KR102107415B1 (en) | Method for providing cyber secure guide | |
| Kumar | Analysis of key critical requirements for enhancing security of web applications | |
| Globa et al. | Securing internet of things data | |
| Alnuaimi et al. | Optimizing Edge Security: Comprehensive Analysis and Mitigation Strategies for Securing Edge Computing |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant | ||
| TR01 | Transfer of patent right |
Effective date of registration: 20220309 Address after: 518052 Room 201, building A, No. 1, Qian Wan Road, Qianhai Shenzhen Hong Kong cooperation zone, Shenzhen, Guangdong (Shenzhen Qianhai business secretary Co., Ltd.) Patentee after: Shenzhen maianxin Technology Co.,Ltd. Address before: 518000 floor 17, maikelon building, Gaoxin South Sixth Road, high tech Industrial Park, Nanshan District, Shenzhen, Guangdong Province Patentee before: SHENZHEN MICROPROFIT ELECTRONIC Co.,Ltd. |
|
| TR01 | Transfer of patent right | ||
| CF01 | Termination of patent right due to non-payment of annual fee |
Granted publication date: 20171107 |
|
| CF01 | Termination of patent right due to non-payment of annual fee |